update gitea config

2023-04-19 23:24:14 +02:00 · 2023-04-19 23:24:14 +02:00 · a36838a657
parent bdca8e626c
commit a36838a657
2 changed files with 45 additions and 3 deletions
--- a/base.nix
+++ b/base.nix
@ -18,7 +18,7 @@ in {
      type = types.str;
      example = "example@example.com";
      description = "Email of the admin, use for ACME and stuff";
-    }
+    };
  };
  config = {
    swapDevices = [
@ -32,6 +32,9 @@ in {
    boot.kernelParams = [ "console=tty0" "console=ttyS0,115200"];
    services.qemuGuest.enable = true;

+    system.autoUpgrade.enable = true;
+    system.autoUpgrade.allowReboot = true;
+  
    networking.hostName = "${cfg.name}";
  
    time.timeZone = "Europe/Paris";
--- a/pp-gitea.nix
+++ b/pp-gitea.nix
@ -25,6 +25,11 @@ in
      };
      description= "The package for custom configs like theme.";
    };
+    dbPasswordFile = mkOption {
+      type = types.str;
+      default = "/etc/gitea_db_pwd";
+      description = "The file containing the database password. Be sure to secure it.";
+    };
  };

  config = {
@ -38,8 +43,15 @@ in
    services.gitea.lfs.enable = true;
    services.gitea.domain = cfg.domain;
    # services.gitea.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
-    services.gitea.database.passwordFile = "/var/lib/gitea/gitea-dbpassword";
-    networking.firewall.allowedTCPPorts = [ 3000 ];
+    services.gitea.database.passwordFile = cfg.dbPasswordFile;
+    # Set the permittions for the db file
+    system.activationScripts = {
+      giteaDbFilePermission.text = 
+      ''
+        chmod 400 ${cfg.dbPasswordFile}
+        chown ${config.services.gitea.user} ${cfg.dbPasswordFile}
+      '';
+    };
    environment.systemPackages = with pkgs; [
      gitea
    ];
@ -57,5 +69,32 @@ in
        DESCRIPTION = "Code everywhere";
      };
    };
+  
+
+    # NGINX
+    security.acme.acceptTerms = true;
+    security.acme.defaults.email = cfgBase.admin_email;
+    services.nginx = {
+        enable = true;
+        virtualHosts = {
+          "${cfg.domain}" = {
+            forceSSL = true;
+            enableACME = true;
+            locations."/" = {
+              proxyPass = "http://127.0.0.1:3000";
+              extraConfig = ''
+                proxy_set_header X-Forwarded-Host $host;
+                proxy_set_header X-Forwarded-Server $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_set_header Host $host;
+                proxy_pass_request_headers on;
+              '';
+            };
+          };
+        };
+      };
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
 }